Data Protection Notice

We handle your personal data confidentially and in accordance with the provisions of the applicable data protection laws as well as with this Data Protection Notice. With the following information we inform you about the nature, scope and purposes of the collection and processing of personal data.

This information is intended for the visitors and users of our web pages and mobile applications (hereinafter referred to collectively as “Website”), for persons with an interest in standardization activities, bidders in requests for proposal, members, business partners, customers and visitors to our events. 

1. Identity of the data controller

VDE Prüf- und Zertifizierungsinstitut GmbH
Represented by the Executive Board
Merianstr. 28
63069 Offenbach
Germany

Phone +49 69 6306-0
vde-institut@vde.com

(hereinafter referred to as “VDE“, “we” or “us”) is the data controller.

2. Data Protection Officer

You can contact our Data Protection Officer at: 
Data Protection Officer VDE
Verband der Elektrotechnik Elektronik Informationstechnik e.V.

Merianstraße 28
63069 Offenbach am Main
Germany

Phone +49 69 6308-0
datenschutz@vde.com

3. Personal data

Personal data is information that can be used to identify a person, i.e. information that can be traced back to a person. This typically includes their name, e-mail address or phone number. However, purely technical data that can be ascribed to a person is also to be considered personal data.

Among other things, we process the following types of personal data in the normal course of proceedings:

• Information for personal identification, e.g. first name and last name, private address, date of birth, place of birth, gender, work-related photographs, private landline and/or mobile number, private e-mail addresses, academic title, job title;
• Memberships in individual VDE committees;
• Access data for the individual VDE committee pages;
• Key points of interest of members and experts;
• Training or studies, including dates;
• Participation in events;
• Industry/employer/company/organizations;
• Photos/videos;
• Bank account details;
• Collection data (debtors, address details, etc.)

4. Overview of individual procedures/legal bases

We process your personal data using the procedures described below for these defined purposes:

4.1. Membership administration

We process your data in order to fulfil the purposes under our articles of association and to administer our membership database. This processing may be performed using applications.
Legal basis:
We process this data in accordance with Art. 6 (1) b) GDPR. Under this legal basis, data processing is lawful if it is necessary for the performance of a contract to which the data subject is party. The purpose of membership administration is the performance of the membership contract between us and the member.

4.2. New member acquisition

We process your data to acquire new members.
Legal basis:
We process this data in accordance with Art. 6 (1) a) GDPR. Data processing is lawful if the data subject has consented to the processing of personal data about them for one or more specific purposes.
We also process this data in accordance with Art. 6 (1) f) GDPR. Data processing is lawful if there is a legitimate interest of the controller (in this case: direct marketing to acquire new members), without violating the interests or basic rights of the data subject.

4.3. Compensation and reimbursement of travel expenses

We process data for compensation and the reimbursement of travel expenses.
Legal basis:
We process this data in accordance with Art. 6 (1) b) GDPR. Under this legal basis, data processing is lawful if it is necessary for the performance of a contract to which the data subject is party. The purpose of compensation and the reimbursement of travel expenses is the performance of the contract between us and the member or expert.

4.4. Processing for standardisation purposes and committee work

We process personal data of our members and experts in order to invite you to events, committee meetings and standardisation groups and for the purposes of reporting to other standardisation organisations like DIN, CEN and CENELEC and international standardisation organisations like ISO and IEC.
Legal basis:
We process this data in accordance with Art. 6 (1) b) GDPR. Under this legal basis, data processing is lawful if it is necessary for the performance of a contract to which the data subject is party. Invitations to these events on standardisation work form part of the performance of the membership contract or the contract between us and the expert.

4.5. Processing for information, presentation and marketing purposes

We process data for information, presentation and marketing purposes in printed and digital advertising materials and on our website.
Legal basis:
We process this data for information, presentation and marketing purposes only on the basis of consent given in accordance with Art. 6 (1) a) GDPR. This authority allows for the processing of personal data when you have given consent to the processing of your personal data for one or more specific purposes.

4.6. Processing for invitations to VDE events

We process data for invitations to events arranged by VDE and the departments (ITG, GMM etc.), training courses, exchange meetings and delegate conferences in order to inform you about these events in accordance with the purpose of VDE as set out in its articles of association.
Legal basis:
The legal basis for the above data processing is Art. 6 (1) f) GDPR. This statutory permission allows for the processing of personal data as part of the controller's "legitimate interest", provided that your fundamental rights, fundamental freedoms or interests are not overriding. We have a legitimate interest in providing information about our events.

4.7. Processing for performance of events

We process data from members, experts and other third parties in order to perform VDE events to which you have signed up.
Legal basis:
We process this data in accordance with Art. 6 (1) b) GDPR. Under this legal basis, data processing is lawful if it is necessary for the performance of a contract to which the data subject is party. Data is processed in order to perform a contract in relation to the event.

4.8. Surveys

We process your data to conduct questionnaires, surveys or interviews in order to tailor our services to the needs of our members.
Legal basis:
We process this member data in accordance with Art. 6 (1) b) and f) GDPR. Data processing is lawful if it is necessary for the performance of a contract to which the data subject is party; or the controller has a legitimate interest (in this case, the member satisfaction surveys to fulfil the purposes of the articles of association), without violating the interests or basic rights of the data subject.

5. Overview of individual procedures on our Website

Personal data are processed on our Website during the following procedures:

5.1. Contact

We process the information provided by you when contacting us (such as via contact form or e-mail) exclusively for handling your query.

Legal basis:
We process this data in accordance with Art. 6 (1) f) GDPR. Accordingly, the processing of personal data is allowed as part of the controller's "legitimate interest", provided that your fundamental rights, fundamental freedoms or interests are not overriding. We have a legitimate interest in processing your inquiry. If contact is aimed at the conclusion of a contract, an additional legal basis for processing is Article 6 (1) b) GDPR. Under this legal basis, data processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The personal data saved as part of this contact are deleted once the matter associated with the contact has been resolved in full and it can also be presumed that this particular contact will not be relevant again in future.

5.2. Cookies

Our Website uses different types of cookies. Technically required cookies are processed on the basis of Art. 6 (1) f) GDPR. We have a legitimate interest in the error-free presentation of our content. Cookies that are not needed for technical operations (performance cookies, functional cookies and marketing cookies), are used with your consent on the basis of Art. 6 (1) a) GDPR. Complete information on the use of cookies, your consent, and your right of withdrawal can be found in our Cookie Notice.

5.3. Social plugins

We use social plugins from social networks (e.g. Facebook, Twitter, Xing, LinkedIn and YouTube) on our Website. You can use these functions to share specific content of the Website with your friend on the respective social networks or to recommend this content.

Please note that we do not use any social plugins that automatically collect data during your time on the Website and forward this data to the operators of the social media platforms.
We would also like to point out that the data collected in conjunction with the social plugins can be shared exclusively between your browser and the operator of the social networks. We have no knowledge of the content, the processing or the scope of the data that is collected and transferred. With this in mind, we recommend that you read the current privacy notices of the respective social network providers. The address of each social plugin provider and the URL with their privacy notices can be found at:

• Facebook Irland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Irland;
  http://www.facebook.com/policy.php;
  Further information on data collection: http://www.facebook.com/help/186325668085084.
• Google LLC., 1600 Amphitheater Parkway, Mountainview, California 94043, USA;
  https://www.google.com/policies/privacy/partners/?hl=de.
• Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA;
  https://twitter.com/privacy.
• Xing SE, Dammtorstraße 30, 20354 Hamburg, Germany;
  http://www.xing.com/privacy.
• LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2 Irland;
  http://www.linkedin.com/legal/privacy-policy.
• YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA
  https://policies.google.com/privacy?hl=de&gl=de

5.4. Embedded YouTube videos

Playback of the YouTube videos embedded in our Website uses the YouTube video platform, operated by YouTube, LLC, 901 Cherry Ave. San Bruno, CA 94066, USA (“YouTube”). Data (including personal data) is also transmitted in the process to YouTube as the controller. We have no influence over the processing of this data by YouTube. For more information about the scope and purpose of the data collected and its further processing and use by YouTube, about your rights and the data protection options you can select, please see YouTube's privacy policy.

5.5. VDE4YOU customer portal - feedback form for the VDE Institute

Our VDE4YOU customer portal is provided for you to securely transfer data and to access various information. You also have the option of sending us feedback.

If you would like to use the VDE4YOU customer portal, you first need to have registered in writing by providing your first name, surname, e-mail address, your company and your company's customer number. You will then be given the option of authorising additional users from your company to have access to the customer portal.

After registration, your authentication information will be e-mailed to you, which will allow you to have access the customer portal and thus access to order documentation, order status and information we have compiled for you.

We process the data you provide during registration in order to offer you the services on our customer portal and to prevent unauthorised use of the customer portal. Your data are not shared with third parties and are not used for any purpose other than the one specified. No cookies are used on the customer portal site.

Legal basis:
The legal basis for the processing of your personal data is Article 6 (1b) GDPR, particularly the existing agreement with us regarding the services offered on the customer portal.

Feedback form
You have the option of sending us feedback using a contact form with your first name, surname, email address, phone number and your customer/order/certificate number.

Legal basis:
These data are processed in order to examine the feedback and for anonymous evaluation as part of our company purpose. By contacting us, you consent to having us process your data for this purpose pursuant to Article 6 (1a) GDPR. You can withdraw your consent at any time with future effect. It is then not possible to process the feedback, however.

The data processed by us during the use of certain Website features, e.g. e-mail contact or use of the VDE4YOU customer portal, are saved only as long as needed to perform or carry out the particular function or service.

5.6. Newsletter and updates

We use the information you enter on our Website, e.g. title, academic title, first name, surname and e-mail address to send you the newsletter and event updates.
Once you have registered on our Website, we e-mail you at the address to request your confirmation in order for you to subscribe to our newsletter and to event updates. If you do not confirm your registration within [24 hours], your information is blocked and deleted. We also save the IP addresses you used and the times of registration and confirmation. The purpose of this procedure is to verify your registration and to be able to investigate any misuse of your personal data.
This data processing is based on your consent, which you gave upon subscribing to the newsletter and the event updates.
Legal basis:
Pursuant to Arti. 6 (1a) GDPR, data processing is permitted if you have given consent for data processing for one or more specific purposes.
Your consent to sending the newsletter and to the event updates can be withdrawn at any time. An e-mail sent to the Data Protection Officer is sufficient for this.
The personal data saved during subscription to the newsletter and to the event updates are deleted if you have successfully unsubscribed from the newsletter and the event updates.

6. Microsoft Teams video conferencing software

We use Microsoft Teams for our telephony as well as for video conferences or online events. You can use Microsoft Teams if, for example, you receive an invitation to a meeting with a meeting ID and, if applicable, further access data by e-mail or you can participate in a meeting via the Teams app. By accessing the Microsoft Teams website, Microsoft is responsible for data processing. You will need to visit the website (https://teams.microsoft.com/) to download the necessary software only if you are unable to use it directly through your web browser without downloading it.

A quick start guide for new users of MS Teams and an extensive video tutorial are available from Microsoft via the following links: Microsoft Teams Video Tutorial – Office Support,  https://cloudblogs.microsoft.com/industry-blog/de-de/uncategorized/2020/05/14/microsoft-teams-video-tutorials-nutzliche-tipps-und-tricks/.
To avoid technical delays during meetings, we recommend that you familiarize yourself with the software prior to a video conference.
Microsoft Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

6.1. Necessary consent to the privacy statement and terms of use of Microsoft and Microsoft Teams

To use Microsoft Teams, you must accept both the terms of use (https://www.microsoft.com/de-de/servicesagreement/) and the Microsoft privacy statement (https://privacy.microsoft.com/de-de/privacystatement), as using MS Teams is generally subject to these terms of use and the privacy statement. Otherwise it will not be possible to use MS Teams.

For details of what data is collected by Microsoft Teams and for what purpose, see: (https://learn.microsoft.com/de-de/microsoftteams/teams-privacy) 

Other recipients: Microsoft Corporation, as the provider of MS Teams, obtains knowledge of the above data to the extent provided for in the order processing contract with MS Teams. Microsoft is obliged to comply with the legal requirements of the applicable data protection law by means of the processing agreement concluded with MS Teams, on the basis of EU standard contractual clauses. 

6.2. Data processing outside the European Union

We have limited our storage location to data centres in the European Union, therefore data processing is generally not performed outside the European Union (EU). However, we cannot technically completely rule out that data may be routed or stored on servers outside the European Union by the processor Microsoft. A secure level of data protection is guaranteed by the conclusion of supplemented EU standard data protection clauses and technical and organisational measures. In particular, data is encrypted during transport via the Internet and is generally protected from disclosure to third parties. Regarding personal data stored by Microsoft in the USA and Europe that may be subject to government requests for information from authorities in the USA, in a statement dated 20 July 2020, Microsoft warrants that such orders that would allow access to personal data will be challenged in court. In addition, as part of a legal settlement, Microsoft has acquired the right to disclose transparent reports on the number of USA national security orders directed to Microsoft. New policies have also been introduced within the US government that have restricted the use of confidentiality orders (see https://news.microsoft.com/de-de/stellungnahme-zum-urteil-des-eugh-was-wir-unseren-kunden-zum-grenzueberschreitenden-datentransfer-bestaetigen-koennen/). The level of data protection is considered sufficient when compared to the anticipated content of the video conferences, which generally do not include personal data aside from the names of the individuals participating in the video conference. 

6.3.    Further information on data protection by Microsoft Corporation and MS Teams

Please refer to Microsoft’s data privacy statement available at https://privacy.microsoft.com/de-de/privacystatement, under the section “Online services for companies”, as well as https://www.microsoft.com/de-de/trust-center/privacy/customer-data-definitions in connection with the Microsoft Data Protection Addendum on Microsoft products and services), in particular Annex 1 https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA?lang=14&year=2022.

7. Image, sound and media recordings

7.1. Events

VDE is entitled, but not obliged, to take photographs, record films or make other media recordings at its events or to arrange for this to be done.

These recordings are made for publication, presentation and information purposes, including on our Website, in VDE publications, on social media and in the press. 

Participants who do not wish to be photographed or otherwise recorded are requested to inform the seminar leader or event staff accordingly.

Legal basis:
We process this data in accordance with Art. 6 (1) f) GDPR. Under this legal basis, processing for the purposes of the “legitimate interest” by the controller is lawful if the processing is required to protect the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

We have a legitimate interest in our public relations activities and in presenting the events and activities of VDE in order to provide interesting insights into the activities of VDE .

Extensive information in accordance with Art. 13 GDPR can be found in the notes that are available at the participant reception desk.

7.2. Recordings of meetings or presentations via Microsoft Teams

Recordings may be made of meetings or presentations via MS teams in accordance with No. 6, provided that consent has been given. These recordings may be required, for example, in order to create minutes of meetings that are true to the content, to re-listen to presentations or to make them accessible to a wider audience.

If a recording is made, it will be stored in the Teams Cloud and will be available there to all persons participating in the Teams meeting (hereinafter referred to as the “owner”) for a period of 21 days.

Note: During this time, it is also possible that the recording can be downloaded to other storage media not under the control of VDE.

The recording will also automatically be stored in the owner’s personal Microsoft Stream Cloud and can also be downloaded from there. The recording is generally stored here for an unlimited period of time, but can be deleted by the owner or the VDE IT administrators and the Microsoft administrators.

If the recorder, the owner, or a VDE IT administrator deletes the recording from the Teams Cloud, Microsoft will ensure that all copies of the personal data are deleted from the Microsoft Stream Cloud within 30 days.

Note: Currently, only people from the VDE organisation can start or access recordings through Teams.

For more information on managing recordings and user access, see:

• Managing user data in Microsoft Stream (classic) – Microsoft Stream | Microsoft Learn
• Permissions and privacy in Microsoft Stream (classic) – Microsoft Stream | Microsoft Learn

7.3. Microsoft Teams encryption

Transferred and stored data from MS Teams is encrypted. To do this, Microsoft uses standard technologies such as TLS and SRTP to encrypt all data in transit between users’ devices and Microsoft data centres and between Microsoft data centres. This includes, for example, messages, files (video, audio, etc.), and other content. Dormant company data in Microsoft data centres is also encrypted in a way that allows VDE to decrypt content when needed.

MS Teams also uses TLS and MTLS to encrypt chat messages. All “server-to-server” traffic requires MTLS, whether the traffic is restricted to the internal network or crosses the internal network perimeter. 

Further information on how Microsoft Teams encrypts data:

• Microsoft Teams Security Handbook – Overview – Microsoft Teams | Microsoft Learn

Legal basis
We process this data in accordance with Article 6 (1) a) GDPR. This authority allows for the processing of personal data when you have given consent to the processing of your personal data for one or more specific purposes. In each case, the consent of the data subjects will be obtained and recorded prior to any recording via MS Teams.
 

8. Recipients of personal data

As a matter of principle, your personal data is processed by us. VDE transmits data to third parties (in particular, to international standards organisations) only when there is a corresponding legal basis; in particular, this is the case if consent has been given to such transmission, if this is required in order to perform a contract, if this is justified by the balance of interests – particularly within the VDE Group – or if this is necessary in order to comply with statutory requirements obliging us to provide, report or pass on data.

Some of the software applications we use for data processing are hosted by VDE Services GmbH, Frankfurt am Main, Germany. VDE Services GmbH acts solely and exclusively on our behalf and in accordance with our instructions. VDE Services GmbH is regularly checked by us. VDE Services GmbH is a subsidiary of VDE e.V.

Various VDE events are performed by EW Medien und Kongresse GmbH, Kaiserleistr. 8A, 63067 Offenbach am Main, Germany. EW Medien und Kongresse GmbH acts solely and exclusively on our behalf and in accordance with our instructions. EW Medien und Kongresse GmbH is regularly checked by us.

We also commission external service providers that act on VDE’s behalf and in accordance with VDE’s instructions.

Within VDE, the internal offices and departments only receive the personal data that is necessary and required to perform the respective tasks.

9. Processing of your data in a third country

Data is transmitted to parties in countries outside the European Union (EU) or the European Economic Area (EEA) (“third countries") when there is a corresponding legal basis, e.g. if consent has been given, if this is required in order to perform a contract or if this is required by law.

Personal data can be transmitted to (standards) organisations in third countries outside the EU/EEA that do not have an adequate level of data protection approved by the EU Commission if you have provided your express consent.

Your data may also be processed in a third country as a result of the involvement of service providers in processing.

If there is no adequacy decision by the European Commission concerning an adequate level of data protection for the respective country, we conclude corresponding contracts in order to ensure that your rights and freedoms are adequately protected and guaranteed in line with EU data protection regulations. Corresponding information are available on request from VDE.

10. Data security

The personal data processed by us is treated confidentially and suitable technical and organisational precautions are used to protect it from loss and changes as well as unauthorised access by third parties. E-mail communication is not suitable for the unencrypted transfer of confidential information. In order to exchange messages that require protection, we strongly recommend the use of the latest encryption processes.

11. Your rights

If the statutory requirements are met, you have the right to request access to your personal data and data processing (Article 15 GDPR), correction, deletion and restriction of your personal data and data processing (Articles 16 through 18 GDPR) and transmission of your personal data (Article 20 GDPR).

If the statutory requirements are met pursuant to Article 21 GDPR, you also have a right to object to data processing. If the statutory requirements are met, you can withdraw the consent you have given in full or in part at any time with future effect.

In order to exercise any of these rights, it is sufficient to send an e-mail to: datenschutz@vde.com or a letter to:

Data Protection Officer
VDE Verband der Elektrotechnik Elektronik Informationstechnik e.V.

Merianstraße 28
63069 Offenbach am Main
Germany

In accordance with Art. 77 (1) GDPR, you also have the right to complain to the supervisory authority if you are of the opinion that the processing of your personal data is not done in a lawful manner, and in particular that it violates the GDPR.

Address of a supervisory authority:

The Data Protection Officer of Hesse
Gustav-Stresemann-Ring 1
65189 Wiesbaden, Germany

Phone +49 611 1408-0,
poststelle@datenschutz.hessen.de

12. Duration of data storage

We store the personal data using the procedures listed above only as long as needed for the intended purpose or as required by law. (For instance, under commercial and tax laws, for a period of at least six to ten years).

Various data, such as names in standardisation meeting reports or at delegate conferences, is permanently archived for documentation purposes.

13. Voluntary nature of provision of data

You are generally neither legally nor contractually bound to provide your personal data. You are not obliged to provide us with this data. Nevertheless, the provision of the functions of our Website and the execution of an order requires the processing of your personal data. In addition, the collection of certain personal data is necessary because, for example,

• participation in events, applications,
• the fulfilment of the membership contract
• and the performance of standardisation and committee work with VDE

are not possible without this data.